Founders in Focus: Wayne Chang of Spruce

Each month we highlight one of the founders of Okta Ventures’ portfolio companies. You’ll get to know more about them and learn how they work with Okta. This month we’re speaking with Wayne Chang of Spruce.

What is Spruce and what is your mission?

Spruce is an open-source software company with the mission to let users control their data across the web, starting with Web3.

What were you doing prior to Spruce that led you to this moment?

Before Spruce, I was part of the leadership team for decentralized identity initiatives at ConsenSys, which incubated uPort, one of the first self-sovereign identity projects ever. It was at ConsenSys that we realized the power of the core technology. It gives individuals control, while phasing out rent-seeking intermediaries, and empowers end-users. Essentially, it diminishes the power of platforms that rely on keeping users locked in. The combination of self-sovereign identity and Web3 enables a model where being locked into a specific platform is erased, and control returns to the user—a victory for consumer choice. That’s what we’re trying to continue and bolster at Spruce.

What is Spruce’s solution? What challenges does it solve? 

We believe the world is moving away from today’s centralized model, where users log in to platforms and may or may not be granted access based on various factors, to a decentralized model, where platforms access a user’s personal data vault, and the user is empowered to adjust permissions for anyone, at any time.

[Figure: Web2 user flow]

To get there, we must move towards open authentication systems based on public-key cryptography, such as Sign-In with Ethereum. Ethereum has tens of millions of monthly active users, and the ones we have spoken to are excited to take back their digital control. As these systems are developing, we’re seeing a new class of compatible technologies, such as personal data vaults like Kepler. This software allows individuals, companies, and decentralized autonomous organizations to host and protect their data wherever they want, whether it’s with a company they trust or a server in their basement—all without interruption of service.

There will also be a shift away from proprietary databases and shadow profiles, and toward open standards that allow for digital credentials, exportable social media graphs, and data—all fully controlled by the user. We combine many of these open standards into two open-source products under the Apache 2.0 license: the decentralized identity toolkit DIDKit, and the white label-ready credential wallet Credible.

Why did Spruce want to work with Okta?

We wanted to work with Okta because companies that choose Okta tend to take security and data ownership pretty seriously. It’s the top vendor recommended when companies are standardizing their company single sign-on strategy in pursuit of better security, digital accountability, or security compliance standards like SOC 2, ISO 27001, or FedRAMP. We’re customers as well as Okta partners.

These companies also tend to care about data sovereignty, zero-trust architectures, digital credentialing, and user-centric data workflows such as those found in Web3. Spruce solves many of these problem categories, and we’re grateful to have the opportunity to collaborate with these companies in a way that works seamlessly with existing Okta installations. For example, our product allows any Okta or Auth0 customer to securely interact with blockchain accounts simply by installing a marketplace plugin.

How is Spruce working with Okta? What support do you look for in a corporate partner?

We are working with Okta in several ways. First, we are happy to announce the release of our Sign-In with Ethereum integration to the Auth0 marketplace, which allows any Auth0 customer to implement the Sign-In with Ethereum workflow with the click of a button to resolve data from the blockchain.

In the near future, we hope to package our decentralized identity libraries to allow any Auth0 and Okta customer to enable data interoperability with W3C Verifiable Credentials and W3C Decentralized Identifiers. This means that Okta customers can share trusted data with each other, including professional certifications, cross-organizational approvals, budgets, financial statements, and much more, all while tightly controlling access criteria to the satisfaction of the CISOs.

When working with a corporate partner, we look for scale and aligned incentives. It’s apparent that Okta has the scale, with hundreds of millions of users on the service. What was especially impressive to us was how aligned the incentives were for Spruce, Okta, and even Okta’s customers. Okta’s leadership firmly believes in innovation, that the world is non-zero-sum, and there will be huge sectors opening up as we continue our transition into the digital age. Also, because Okta offers a straightforward service that doesn’t monetize customer data, we find it to be well-aligned with our vision of data sovereignty.

What trends do you expect to see in the Decentralized Identity industry? 

The following trends are combining into the perfect storm for the adoption of decentralized identity.

  • The proliferation of Web3. Web3 is proving to be the biggest movement of users taking back digital control that we’ve seen; it is also the most successful Public Key Infrastructure adoption event ever. For all decentralized identity projects, the widespread use of public-key cryptography is critical for successful rollouts. We think this thoroughly answers the question, “why now?”
  • Antitrust rulings, data privacy regulations, and growing user distrust of “big tech”. It’s no surprise that the FTC and the general public are upset about what’s seen as large tech companies lacking accountability and hoarding data and power. People are growing wiser as to what’s happening to their information behind the scenes, and they don’t like it. Given this climate, many data privacy officers may actually prefer that user data be stored directly with their customers, and accessed only when necessary. They understand that much of the data their organizations store today may become illegal to hold without additional consent processes in place. As organizations are mandated by government regulations to allow users to export all their data in a useful way, we think personal data vaults will emerge as a popular way for users to take back control, while also mitigating privacy risks for corporations.
  • The transition to Zero Trust architecture. The White House has released a federal strategy toward Zero Trust, and this is a massive shift in the security industry. This change will favor systems built on public-key cryptography with next-generation authentication/authorization systems. The kinds of authentication and authorization we’re working on are in exact alignment.
  • The emergence of the data supply chain. We think the world is growing smaller. In order to compete, companies will need to share more information with their collaborations than they ever have before. Data will be tracked and traced like assets along a physical supply chain, but instead of paper bills of lading, there will be digital certificates of origin, user consent packages, and certifications of data anonymization. This is all enabled using the tools from decentralized identity, in which not just people, but anything, can have an identifier–even an Excel file.

Interested in joining Okta Ventures? Check out our FAQ here and feel free to reach out to our team or submit your business for review.